OFFICE OF INSPECTOR GENERAL
MEMORANDUM

DATE: January 6, 2003

TO: Chairman

FROM: Inspector General

SUBJECT: Report on Government Information Security Reform Act Evaluation - Findings and Recommendations

The Office of Inspector General (OIG) has completed an evaluation of the Commission's Information Security program in accordance with the Government Information Security Reform Act (Security Act). The Security Act requires that Inspectors General, or the independent evaluators they choose, perform an annual evaluation of each agency's information security program and practices. We contracted with KPMG, LLP to perform the independent evaluation.

On September 16, 2002, we issued a report, entitled "FY 2002 Government Information Security Reform Act (GISRA) Independent Evaluation," summarizing the results of our independent evaluation. As a result of the independent evaluation, we have concluded that the Commission has a generally effective information security program with acceptable practices for managing and safeguarding the Federal Communications Commission's (FCC's) information technology assets. Our report, comprised of an executive summary and an independent evaluation, was included in a package of information provided by the Commission to the Office of Management and Budget (OMB) on September 16, 2002.

During the independent evaluation, we identified areas for improvement in the FCC's information security management, operational and technical controls. The evaluation identified eight (8) findings in the areas of management, operational, and technical controls. Additionally, we determined that eight (8) of the conditions identified during the FY 2001 GISRA evaluation had not been fully corrected at the time of audit fieldwork. In our opinion, implementation of our recommendations and correction of the conditions identified in the FY 2001 evaluation report will strengthen the Commission's information security program. These findings are addressed in the attached report, entitled "Report on FY 2002 Government Information Security Reform Act Risk Assessment and Evaluation" (Report No. 02-AUD-02-06). This report is a byproduct of the independent evaluation required by the Security Act.

Our recommendations will correct present problems and minimize the risk that future security problems will occur in the FCC's information security program. All recommendations contained in the attached report will be tracked for reporting purposes by the OIG. Appendix A, Summary of Findings, provides a summary of the findings from this review. Appendix B, Detailed Findings and Recommendations, details the findings and recommendations from the review.

In its response dated December 9, 2002, the Office of the Managing Director (OMD) indicated concurrence with each of the findings and recommendations. For all findings, OMD outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. We have included a copy of the response from OMD in its entirety as Appendix C to this report.

Due to the sensitive nature of the information contained in the appendices, we have marked them all "Non-Public – For Internal Use Only" and have limited distribution. Those persons receiving this report are requested not to photocopy or otherwise distribute this material.

H. Walker Feaster III

Attachment

cc: Chief of Staff
    Managing Director
    Chief Information Officer
    Computer Security Officer
    AMD-PERM


Federal Communications Commission
Office of Inspector General

FY2002 Government Information Security Reform Act Evaluation – Findings and Recommendations

Report No. 02-AUD-02-06
January 6, 2003


TABLE OF CONTENTS

EXECUTIVE SUMMARY
BACKGROUND
OBJECTIVE
SCOPE
OBSERVATIONS
APPENDIX A   Summary of Findings
APPENDIX B   Detailed Findings & Recommendations
APPENDIX C   Response from the Office of the Managing Director, Dated December 9, 2002


Executive Summary

The Government Information Security Reform Act ("GISRA" or "Security Act") was signed into law as part of the Fiscal Year (FY) 2001 Defense Authorization Act (Public Law 106-398). The Security Act amended the Paperwork Reduction Act of 1995 by adding a new subchapter on information security. The Security Act, which became effective on November 30, 2000, applies to all Federal agencies.

A key provision of the Security Act requires that, beginning in Fiscal Year (FY) 2001, agency Offices of Inspector General (OIG), or independent evaluators, perform an annual evaluation of the agency's information security program and practices. The OIG engaged KPMG, LLP to conduct the FY 2002 independent evaluation of the FCC's information security program and practices.

The purpose of the evaluation was to review the Commission's security program including, but not limited to, security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management. Our objective was to evaluate the effectiveness of the Commission's information security program by assessing the risk for each component of the program. Audit fieldwork began on May 17, 2002, concluded on September 15, 2002, and was performed at FCC Headquarters, Washington, DC.

Our methodology was based upon the National Institute of Standards and Technology's (NIST) "Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide)". Additional guidance was received from other NIST publications, the methodology provided in the "Federal Information System Controls Audit Manual (FISCAM)," Federal Information Processing Standards (FIPS) publications, and other laws and directives pertaining to the protection of Federal information resources.

On September 16, 2002, we issued a report, entitled "FY 2002 Government Information Security Reform Act (GISRA) Independent Evaluation," summarizing the results of our independent evaluation. As a result of the independent evaluation, we have concluded that the Commission has a generally effective information security program with acceptable practices for managing and safeguarding the information technology assets. On September 16, 2002, our report, comprised of an executive summary and an independent evaluation, was included in a package of information provided by the Commission to the Office of Management and Budget (OMB).

During the independent evaluation, we identified areas for improvement in the FCC's information security management, operational and technical controls. Specifically, we identified eight (8) findings in the areas of management, operational, and technical controls. Additionally, we determined that eight (8) of the conditions identified during the FY 2001 GISRA evaluation had not been fully corrected at the time of audit fieldwork.

Prior to issuing this report, we met with FCC management and staff about the facts comprising the conditions identified in this report. A summary of the preliminary findings was presented to FCC management at the Key Milestone Meeting on July 1, 2002. In response, FCC management provided informal written comments on July 30, 2002, which were reviewed and considered during the preparation of this report. Subsequent to the close of audit fieldwork, a preliminary draft of Appendix B, Detailed Findings and Recommendations, was forwarded to FCC Management on September 26, 2002 for additional review and comment.

On November 4, 2002, we issued a draft report summarizing the results of our audit. In that draft document, we requested that the Office of the Managing Director (OMD) respond to the findings and recommendations presented in our report. In its response dated December 9, 2002, OMD indicated concurrence with each of the findings and recommendations. For all findings, OMD outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. We have included a copy of the response from OMD in its entirety as Appendix C to this report.

This report contains non-public information. In accordance with the Commission's directive on the Management of Non-Public Information (FCCINST 1139), we have classified all appendices as "Non-Public – For Internal Use Only." Recipients of this report are expected to follow the established policies and procedures for managing and safeguarding the non-public information contained in this report as outlined in FCCINST 1139.


Background

On October 30, 2000, the President signed into law the FY 2001 Defense Authorization Act (P.L. 106-398) including Title X, subtitle G, "Government Information Security Reform Act" (GISRA). GISRA amended the Paperwork Reduction Act (PRA) of 1995 by adding a new subchapter on "Information Security" and applies to all Federal Agencies. The effective date of GISRA was November 30, 2000.

A key provision of GISRA requires that agency Offices of Inspector General perform an annual evaluation of the agency's information security program. GISRA also permits the OIG to select an independent evaluator to perform this evaluation. KPMG, LLP was engaged to perform the fiscal year (FY) 2002 independent evaluation.

The "Self-Assessment Guide for Information Technology Systems (Self-Assessment Guide)" issued by the National Institute of Standards and Technology (NIST) provided the framework for our methodology. As appropriate, we followed guidance prescribed by the "Federal Information System Controls Audit Manual (FISCAM)." We obtained additional guidance from other NIST publications, Federal Information Processing Standards (FIPS) publications, as well as other laws and directives pertaining to the protection of Federal information resources as listed below:

• Presidential Decision Directive (PDD) 63, entitled "Critical Infrastructure Protection."
• PDD-67, entitled "Continuity of Operations Planning (COOP)".
• OMB Circular A-130, entitled "Management of Federal Information Resources," as revised on November 30, 2000, including Appendix III, "Security of Federal Automated Information Resources."
• OMB Circular A-123, entitled "Management Accountability and Control."
• OMB Circular A-127, entitled "Financial Management Systems"
• OMB M-01-08, entitled "Guidance on Implementing the Government Information Security Reform Act," dated January 16, 2001.
• OMB M-01-24, entitled "Reporting on the Government Information Security Reform Act," dated June 22, 2001.
• OMB M-02-09, entitled "Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action" dated July 2, 2002.
• OMB M-97-02, entitled "Funding Information Systems Investments."
• OMB M-97-16, entitled "Information Technology Architectures."
• Federal Emergency Management Agency's Federal Preparedness Circular 65, "Federal Executive Branch Continuity of Operations (COOP)".
• The Computer Security Act of 1987 (PL 100-235).
• NIST 800-3, entitled "Establishing a Computer Security Incident Response Capability (CSIRC)."
• NIST 800-5, entitled "Guide to the Selection of Anti-Virus Tools and Techniques."
• NIST 800-12, entitled "An Introduction to Computer Security, The NIST Handbook."
• NIST Publication 800-13, entitled "Telecommunications Security Guidelines for Telecommunications Management Network."
• NIST 800-14, entitled "Generally Accepted Principles and Practices for Securing IT Systems".
• NIST 800-18, entitled "Guide for Developing Security Plans for IT Systems."
• FIPS Publication 73, entitled "Guidelines for Security of Computer Applications."
• FIPS Publication 112, entitled "Password Usage."
• FCC Instruction 1479.2, "Computer Security Program Directive."

Our procedures were designed to comply with applicable auditing standards and guidelines, specifically the Generally Accepted Government Auditing Standards (GAGAS).


Objective

Our objective was to evaluate the effectiveness of the Commission's information security program by assessing the risk for each component of the program. The specific objectives of this review were as follows:

1. Obtain an understanding of the Commission's Information Technology (IT) infrastructure.

2. Obtain an understanding of the Commission's information security program and practices.

3. Use the GISRA security assessment tools (i.e. the NIST Self-Assessment Guide and FISCAM) to evaluate the effectiveness of the Commission's information security program and assess risk for each component of the program. At a minimum, the assessment was required to include identification and ranking of the critical information system threats to the FCC IT infrastructure on a risk vulnerability basis.

4. Prepare the annual submission in accordance with the OMB reporting requirements mandated under GISRA for FY 2002. In addition to preparing the annual submission, the contractor was required to provide a detailed report that (1) identifies and ranks the critical security risk factors and (2) contains observations and recommendations for improvements, if any.

5. Follow up on the findings of the Fiscal Year 2001 GISRA review that are documented in OIG report number 01-AUD-11-43.


Scope

The scope of our independent evaluation included the security infrastructure managed by the Office of the Managing Director's Information Technology Center (ITC) and the Auctions Automation Branch of the Commission's Wireless Telecommunications Branch.

The FY 2002 independent evaluation encompassed a review of the Commission's security program including, but not limited to, security policies, security architecture, business continuity, security capital planning, critical infrastructure, and security program planning and management.

The Security Act also requires that the OIG select an appropriate subset of agency applications for review. Our audits of the Automated Auction System and follow-up audit of computer control conditions at the FCC's Consumer Center, performed earlier in the fiscal year, satisfied this requirement. The reports on the results of these audits were issued separately and can be found in OIG Reports 02-AUD-02-08, entitled "Report on Audit of the Automated Auction System," and 01-AUD-07-30, entitled "Report on Follow-up Audit on Computer Controls at the FCC Consumer Center," respectively.

Our observations from the independent evaluation have been organized according to the NIST control areas of management controls, operational controls, and technical controls. The control areas are defined below and the specific control techniques addressed by each are outlined.

   Management Controls – Management controls focus on the management of the IT security system and the management of risk for a system. They are techniques and concerns that are normally addressed by management. The specific management control objectives addressed were:

   • Risk Management
   • Review of Security Controls
   • Life Cycle
   • Authorize Processing (Certification and Accreditation)
   • System Security Plan

   Operational Controls – Operational controls address security methods focusing on mechanisms primarily implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise and often rely upon management activities as well as technical controls. The specific operational control objectives addressed were:

   • Personnel Security
   • Physical and Environmental Protection
   • Production, Input/Output Controls
   • Contingency Planning
   • Hardware and System Software Maintenance
   • Data Integrity
   • Documentation
   • Security Awareness, Training and Education
   • Incident Response Capability

   Technical Controls – Technical controls focus on security controls that the computer system executes. The controls can provide automated protection against unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The specific technical control objectives addressed were:

   • Identification and Authentication
   • Audit Trails
   • Logical Access Controls

Each finding has been further categorized by risk ratings of 'High', 'Medium', or 'Low'. In assigning ratings, we considered whether each condition, if exploited, could result in misuse or loss of FCC data, as well as the potential degree of exposure to the Commission.


Observations

During our independent evaluation we reviewed documentation provided by the Commission, reviewed previously performed special reviews and audits, conducted interviews of Agency staff, and performed other activities of inquiry and observation. Audit fieldwork began on May 17, 2002, concluded on September 15, 2002, and was performed at FCC Headquarters, Washington, DC.

As a result of observations from the evaluation, we have concluded that the Federal Communications Commission is dedicated to implementing and maintaining effective security controls aimed at protecting its information resources. Our independent evaluation for the current fiscal year yielded several positive observations relative to the Commission's information security program and practices. Positive observations included the following:

   • FCC management has developed and implemented plans of action and milestones (POA&M) for each of the FY 2001 GISRA findings. Several of the prior year findings were determined to be fully remediated.

   • The FCC's IT Strategic Plan was published in final format in July of 2002. The plan outlines near and long-term directions for the agency's IT architecture and program and sets forth goals reflecting the core mission and values of the IT program.

   • In accordance with OMB Circular A-130, system security plans were developed for sixteen (16) of the Commission's seventeen (17) major applications and general support systems. Rules of Behavior for application users were also developed and incorporated into each of the security plans.

   • A Computer Security Strategic Plan is under development. The plan is intended to address management, operational, and technical controls, physical protection of information resources, and future computer security needs of the Commission.

   • The Computer Security Office has established the Computer Security Program repository on the Commission's Intranet, where FCC policies, procedures, bulletins, and alerts on protecting the agency's computer resources are easily accessible to authorized users of the FCC's information systems.

Since the prior year GISRA evaluation, the Commission has developed and published numerous Computer Security Desk Reference Guides that provide technical procedures for system administrators and developers for implementing the information security program and practices. Also, existing policies and procedures, such as the FCC Computer Security Directive, FCCINST 1479.2, have been updated as corrective measures to address findings reported by the FY 2001 independent evaluation. While this is noted as a positive measure, we recommend that FCC management ensure that staff and contractors responsible for implementing all new and updated policies, procedures, and guidelines are made aware of the requirements. Where applicable, documentation of adherence to requirements should be maintained and reviewed periodically by FCC management to ensure security practices are being properly conducted.

While the Commission has implemented numerous positive controls over its computer resources, we identified areas for improvement for management, operational, and technical controls. Specifically, eight (8) new findings resulted from the current year's independent evaluation. The findings consist of three (3) findings related to management controls, one (1) related to operational controls, and four (4) related to technical controls. Of the eight findings, three (3) were assigned a risk rating of 'High,' four (4) were designated with a risk level of 'Medium,' and one (1) was designated as 'Low' [1]. Additionally, from our follow-up on FY 2001 GISRA observations, we determined that corrective actions have not been fully implemented for eight (8) of the prior year findings.

Appendix A provides the Summary of Findings from the independent evaluation. Appendix B, Detailed Findings and Recommendations, provides detailed information on the conditions identified, the criteria used to evaluate each condition, its effect, and the recommendation(s). As prescribed by OMB M-02-09, "Reporting Instructions for the Government Information Security Reform Act and Updated Guidance on Security Plans of Action", a plan of action for each finding identified during the FY 2002 independent evaluation, including milestones and completion dates, should be developed by FCC management. The plans should identify the corrective actions that the Commission intends to take to address control areas that need strengthening and identify any obstacles which may impede correction of deficiencies noted. Appendix B also lists the conditions from the FY 2001 GISRA evaluation that were determined to remain open after our follow-up review work.

On November 4, 2002, we issued a draft report summarizing the results of our audit. In that draft document, we requested that the Office of the Managing Director (OMD) respond to the findings and recommendations presented in our report.

In its response dated December 9, 2002, OMD indicated concurrence with each of the findings and recommendations. For all findings, OMD outlined the corrective action taken and/or a milestone schedule for implementation of corrective action. We have included a copy of the response from OMD in its entirety as Appendix C to this report.

This report contains non-public information. In accordance with the Commission's directive on the Management of Non-Public Information (FCCINST 1139), we have classified all appendices as "Non-Public – For Internal Use Only." Recipients of this report are expected to follow the established policies and procedures for managing and safeguarding the non-public information contained in this report as outlined in FCCINST 1139.

[1] Each finding was evaluated to determine its degree of exposure based on the following risk ratings. High: Security risk can cause a business disruption, if exploited. Medium: Security risk in conjunction with other events can cause a business disruption, if exploited. Low: Security risk may cause operational annoyances, if exploited.